---
page_title: "cloudflare_origin_ca_certificate Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare Origin CA certificate used to protect traffic to your origin without involving a third party Certificate Authority.
---

# cloudflare_origin_ca_certificate (Resource)

Provides a Cloudflare Origin CA certificate used to protect traffic to your origin without involving a third party Certificate Authority.

~> Since [v3.32.0](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v3.32.0)
   all authentication schemes are supported for managing Origin CA certificates.
   Versions prior to v3.32.0 will still need to use [`api_user_service_key`](../index.html#api_user_service_key).

## Example Usage

```terraform
resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_cert_request" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = ""
    organization = "Terraform Test"
  }
}

resource "cloudflare_origin_ca_certificate" "example" {
  csr                = tls_cert_request.example.cert_request_pem
  hostnames          = ["example.com"]
  request_type       = "origin-rsa"
  requested_validity = 7
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `csr` (String) The Certificate Signing Request. Must be newline-encoded. **Modifying this attribute will force creation of a new resource.**
- `hostnames` (Set of String) A list of hostnames or wildcard names bound to the certificate. **Modifying this attribute will force creation of a new resource.**
- `request_type` (String) The signature type desired on the certificate. Available values: `origin-rsa`, `origin-ecc`, `keyless-certificate`. **Modifying this attribute will force creation of a new resource.**

### Optional

- `min_days_for_renewal` (Number) Number of days prior to the expiry to trigger a renewal of the certificate if a Terraform operation is run.
- `requested_validity` (Number) The number of days for which the certificate should be valid. Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`. **Modifying this attribute will force creation of a new resource.**

### Read-Only

- `certificate` (String) The Origin CA certificate.
- `expires_on` (String) The datetime when the certificate will expire.
- `id` (String) The ID of this resource.

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_origin_ca_certificate.example <certificate_id>
```
